The Human Factor in Internal Breaches

A good friend and I were recently reminiscing about how we first met and the experiences we had shared together both personally and professionally over a number of years.

Our friendship is a bit interesting as he is a retired white-collar crime supervisor from the FBI who also has a strong IT forensics and technology background. He also worked “crypto” (cryptography) during his time in the military and put that skill to use during his time with the bureau.

He also is a published author of a leading book on critical incident management and how to protect data and what to do in case of worse case scenarios. (If you want the name of the book, contact me at scottc@mviusa.com and I’ll forward it to you.)

I first met my friend at a local ISSA chapter meeting when I was working for a very well-known network security firm. I was tasked with putting together a public partnership with the FBI to promote better awareness and cooperation on matters of technology and security. (Look into your local Infraguard chapter if interested.)

After working together, we became good friends hosting local seminars and developing other projects to enhance the knowledge and best practices that would help keep organizations safe and within compliance according to the law.

One reality he kept stressing to me was the biggest threat to an organization’s security: the human factors found within your organization. Time and time again he would drill that fact into the attendees at the seminars and back it up with the crime statistics the bureau kept on such things.

With that in mind, my systems engineer and I were conducting a security presentation to a very large and well-known financial institution in our area. Our task that day was to show how our holistic security appliances, software and processes could help secure their network.

During our presentation, we worked with their Internal IT staff and started running our first layer of security – which was an intrusion detection appliance. As I went about my presentation, my systems engineer caught my eye and gave me nod to meet him out in the hallway.

I excused myself and we went out to discuss his concerns.

Apparently, our device had immediately picked up a background process running, which at that time was a brute force password cracker program called: “Jack the Ripper.” The alarms on it were off the charts and he wondered how we should handle that situation.

I went back into the meeting and asked to speak to the CIO in private, where I shared our results.

I told him to leave the intrusion detection appliance running. They were welcome to it as long as they needed it to complete their internal investigation. I also handed him the contact information of my FBI friend and advised to call him.

The FBI came in and completed their investigation, which discovered one of the company’s IT staff was running the program to gain password access to the accounts. The culprit was charged and later convicted and sentenced – and we made a very good sale out of the situation.

Lessons learned: No matter how much security or how diligent you are, the human factor is something that has to be addressed and protected against much more than the perceived outside threats.

Next Page: Breaches Underscore

The recent breach of account numbers at several large retailers underscores this issue even more. I think you will see that when the investigations are finally completed and the post-mortem results are published there will have been a strong human element inside these organizations or their tech partners that were the weak link. I could be wrong on this assumption, but wouldn’t bet against it.

So how does this relate to our current environment in the credit union industry? For starters, understand that whatever methodology and ideology your organization subscribes to, people are ultimately your greatest strength – but also your weakest link.

When it comes down to securing data and member information, it becomes a matter of degrees of trust. Who do you trust with what levels of access and responsibility? For example, I would be willing to bet very few organizations have policies against having cell phones at work.

I’m not going to be popular with this statement, but they don’t belong there – period. They can easily be used to take pictures of account information on screens, used as mass storage devices, and at the very least can be used to inject harmful programs into an otherwise secure environment.

Solution? Lock them up at work – the cell phones, that is.

Another area of risk is access to the unsecured documents in your imaging systems. Are your paper and electronic files secure? I have seen too many supposed imaging systems that lack even the basic constraints regarding security. At the very least, make sure there is a complete audit trail on access of documents and the ability to set multiple layers of security on the printing, access, and export of documents.

Failure to do so can result in the loss of key data just as easily as a hacker can gain access to electronic files. Couple that with a smart phone and you have a recipe for big time breaches.

For more information on this issue, research regulation DoD 5015.2 dealing with records management. Make sure your imaging providers can meet this level of compliance.

Although this article is as a much about reliving the glory days with my friend, the lessons learned over a lifetime of experience, and prosecution of bad guys, it should leave no doubt that the better approach to securing your members’ data is this: Creating an environment for your employees that makes it difficult for them to access both physical and electronic files unsupervised can have long-term benefits for all involved.

What I do hope is that you begin to approach how to better handle your own security procedures by stirring some thought about what you are currently doing and how you can do it better especially with the human component.

I will say it is good to look back at times to move forward because as the saying goes, “Those who do not remember their past mistakes are bound to repeat them in the future.”

What proactive mechanisms or security processes are in place at your organization to mitigate any possible breaches?